take care - suhosin can affect Mapbender administration and block requests


Astrid Emde (WhereGroup)
Hello,

some of you may have problems saving changes within the Mapbender
administration. This is not a Mapbender problem. It can be caused by
Suhosin, as Suhosin defines limits, for example for the number of POST
variables, the maximum length of arrays or the maximum length of values.

What is Suhosin?
Suhosin is an open source patch for PHP. "The goal behind Suhosin is to
be a safety net that protects servers from insecure PHP coding
practices." In some Linux distributions (notably Debian and Ubuntu) it
is shipped by default.
http://en.wikipedia.org/wiki/Suhosin

What can you do?
You can deactivate Suhosin to run the simulation mode:
 suhosin.simulation = on

In simulation mode violations are logged as usual, but nothing is blocked.
http://www.hardened-php.net/suhosin/configuration.html#suhosin.simulation

The log messages will tell you which violations take place and you can
increase the parameters.

It may be necessary to increase the following parameters:
suhosin.request.max_value_length
suhosin.get.max_array_depth
suhosin.get.max_array_index_length
suhosin.get.max_name_length
suhosin.get.max_totalname_length
suhosin.get.max_value_length
suhosin.get.max_vars

Find out more about the parameters at:
http://www.hardened-php.net/suhosin/configuration.html

After changes you have to restart your Apache.
--

Best regards

Astrid Emde

----------------------------------
Soaring through knowledge!

Qualified open-source training
at www.foss-academy.eu

----------------------------------

 Astrid Emde
 WhereGroup GmbH & Co.KG
 Eifelstraße 7
 53119 Bonn
 Germany

 Fon: +49(0)228 90 90 38 - 19
 Fax: +49(0)228 90 90 38 - 11

 [hidden email]
 www.wheregroup.com

Amtsgericht Bonn, HRA 6788
-------------------------------
General partner:
WhereGroup Verwaltungs GmbH
represented by:
Olaf Knopp, Peter Stamm
-------------------------------
 pgp-public key:
 http://pgp.mit.edu:11371/pks/lookup?search=0x06DA52D72D515284
  Signed and/or encrypted mail is highly appreciated
_______________________________________________
Mapbender_users mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/mapbender_users

Re: take care - suhosin can affect Mapbender administration and block requests

Stephan Holl
Hello Astrid,

Astrid Emde <[hidden email]>, [20111206 - 11:39:20]

> Hello,
>
> some of you may have problems saving changes within the Mapbender
> administration. This is not a Mapbender problem. It can be caused by
> Suhosin, as Suhosin defines limits for example for number of POST
> variables, maximum length of arrays or maximum length of values.
>
> What is Suhosin?
> Suhosin is an open source patch for PHP. "The goal behind Suhosin is
> to be a safety net that protects servers from insecure PHP coding
> practices." In some Linux distributions (notably Debian and Ubuntu) it
> is shipped by default.
> http://en.wikipedia.org/wiki/Suhosin
>
> What can you do?
> You can deactivate Suhosin to run the simulation mode:
>  suhosin.simulation = on

Isn't it the right way to make Mapbender more secure (speaking of
changing the coding-practice to make it compatible with suhosin) than
disabling the PHP-harden-framework?

/me is confused.

        Stephan

--
Stephan Holl <[hidden email]> | Tel.: +49 (0)541-33 508 3663
Intevation GmbH, Neuer Graben 17, 49074 OS  |  AG Osnabrück - HR B 18998
Geschäftsführer:  Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Re: take care - suhosin can affect Mapbender administration and block requests

Astrid Emde (WhereGroup)
Stephan Holl wrote:

> Hello Astrid,
>
> Astrid Emde <[hidden email]>, [20111206 - 11:39:20]
>
>> Hello,
>
>> some of you may have problems saving changes within the Mapbender
>> administration. This is not a Mapbender problem. It can be caused by
>> Suhosin, as Suhosin defines limits for example for number of POST
>> variables, maximum length of arrays or maximum length of values.
>
>> What is Suhosin?
>> Suhosin is an open source patch for PHP. "The goal behind Suhosin is
>> to be a safety net that protects servers from insecure PHP coding
>> practices." In some Linux distributions (notably Debian and Ubuntu) it
>> is shipped by default.
>> http://en.wikipedia.org/wiki/Suhosin
>
>> What can you do?
>> You can deactivate Suhosin to run the simulation mode:
>>  suhosin.simulation = on
>
> Isn't it the right way to make Mapbender more secure (speaking of
> changing the coding-practice to make it compatible with suhosin) than
> disabling the PHP-harden-framework?
>
> /me is confused.
>
> Stephan
>

Hi Stephan,

 I do not want you to deactivate suhosin at all. It only has some
default configurations that do not fit and are too restrictive.

Please run suhosin.simulation to find out which suhosin variables you
have to change. After the change you can deactivate suhosin.simulation
again.

For example, suhosin has a variable suhosin.post.max_vars which has the
value 200 by default.
When you update a WMS which has 200 layers, suhosin.post.max_vars is too
low and the request is blocked, which makes no sense.

http://www.hardened-php.net/suhosin/configuration.html#suhosin.post.max_vars

So do not disable suhosin but change the variables as they are set too
low for Mapbender.
--

Best regards

Astrid Emde

----------------------------------
Soaring through knowledge!

Qualified open-source training
at www.foss-academy.eu

----------------------------------

 Astrid Emde
 WhereGroup GmbH & Co.KG
 Eifelstraße 7
 53119 Bonn
 Germany

 Fon: +49(0)228 90 90 38 - 19
 Fax: +49(0)228 90 90 38 - 11

 [hidden email]
 www.wheregroup.com

Amtsgericht Bonn, HRA 6788
-------------------------------
General partner:
WhereGroup Verwaltungs GmbH
represented by:
Olaf Knopp, Peter Stamm
-------------------------------
 pgp-public key:
 http://pgp.mit.edu:11371/pks/lookup?search=0x06DA52D72D515284
  Signed and/or encrypted mail is highly appreciated
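Added example, not part of the original thread and not Mapbender or Suhosin code: a simplified Python model of the per-request limits discussed above, to estimate which directives a given form submission would exceed so that only those are raised. The form field names and every limit value except the 200 quoted for suhosin.post.max_vars are constructed, and the counting rules are an approximation of Suhosin's own.

```python
import re
from urllib.parse import parse_qsl

# 200 is the suhosin.post.max_vars default quoted in the thread; the other
# values are constructed for this example, not Suhosin defaults.
LIMITS = {"max_vars": 200, "max_value_length": 1000, "max_name_length": 64,
          "max_totalname_length": 256, "max_array_depth": 50,
          "max_array_index_length": 64}

def exceeded(body, limits=LIMITS, scope="post"):
    """Return {directive: observed value} for each limit the body exceeds.

    Simplified model (assumption): every name=value pair is one variable,
    and array depth is the number of [..] groups in the variable name.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    seen = {"max_vars": len(pairs)}
    for name, value in pairs:
        indexes = re.findall(r"\[([^\]]*)\]", name)
        observed = {
            "max_value_length": len(value),
            "max_name_length": len(name.split("[", 1)[0]),
            "max_totalname_length": len(name),
            "max_array_depth": len(indexes),
            "max_array_index_length": max(map(len, indexes), default=0),
        }
        for key, n in observed.items():
            seen[key] = max(seen.get(key, 0), n)
    # Report only what is over the limit, so nothing else gets loosened.
    return {f"suhosin.{scope}.{key}": n for key, n in seen.items()
            if key in limits and n > limits[key]}

def sample_wms_update(layers):
    """Constructed form body; the field names are hypothetical."""
    fields = ["wms_id=1"]
    for i in range(layers):
        fields += [f"layer[{i}][title]=Layer+{i}", f"layer[{i}][visible]=1"]
    return "&".join(fields)

if __name__ == "__main__":
    for directive, n in exceeded(sample_wms_update(200)).items():
        print(f"{directive}: request needs at least {n}")
```

The simulation-mode log remains the authoritative source for which limits are actually hit; this model only helps size the new values.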

Re: take care - suhosin can affect Mapbender administration and block requests

Stephan Holl
Hello Astrid,

Astrid Emde <[hidden email]>, [20111206 - 12:40:58]

[...]

> >> What can you do?
> >> You can deactivate Suhosin to run the simulation mode:
> >>  suhosin.simulation = on
> >
> > Isn't it the right way to make Mapbender more secure (speaking of
> > changing the coding-practice to make it compatible with suhosin)
> > than disabling the PHP-harden-framework?
> >
> > /me is confused.
> >
> > Stephan
> >
>
> Hi Stephan,
>
>  I do not want you to deactivate suhosin at all. It only has some
> default configurations that do not fit and are too restrictive.
>
> Please run suhosin.simulation to find out which suhosin variables you
> have to change. After the change you can deactivate suhosin.simulation
> again.
>
> For example, suhosin has a variable suhosin.post.max_vars which has the
> value 200 by default.
> When you update a WMS which has 200 layers, suhosin.post.max_vars is too
> low and the request is blocked, which makes no sense.
>
> http://www.hardened-php.net/suhosin/configuration.html#suhosin.post.max_vars
>
> So do not disable suhosin but change the variables as they are set too
> low for Mapbender.

Thanks for clarification.

Best

        Stephan

--
Stephan Holl <[hidden email]> | Tel.: +49 (0)541-33 508 3663
Intevation GmbH, Neuer Graben 17, 49074 OS  |  AG Osnabrück - HR B 18998
Geschäftsführer:  Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Monitoring module - status

jmckenna
Administrator
Hello everyone!

I am just wondering if the 'monitoring module'
(http://www.mapbender.org/MonitorCapabilities) is still
functioning/being maintained in Mapbender.  I need a software/service to
monitor WMS servers and I know Mapbender used to do this well; I'm just
checking that this is still the case, or do you recommend that I should
use a different tool.

Let me know your thoughts on this.  Thanks all! :)

-jeff



--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/



Re: Monitoring module - status

armin11
(by cc)

hello jeff,

we have used this tool in rhineland-palatinate (state of germany) for many
years. the monitoring is started through
http://trac.osgeo.org/mapbender/browser/trunk/mapbender/tools/monitorCapabilities.sh
. the script is used for us and if you want to monitor the services of
other users or groups you have to change the part "group:36". the
monitoring is controlled via cronjob. we control the 280 services
every 2 hours. the result is written as xml to the tools/tmp/ folder
(chown to the user which starts the cron!!!). this folder has to be
cleaned regularly (maybe with a cron like this:
find /data/mapbender/tools/tmp -type f -print0 | xargs -0 rm -f)
after the timeout (mapbender.conf) is reached, the results, which are
also written to the xml files, are stored in the database. this is
done because you will have too many open db connections if you write
the results directly to db ;-)
i think the system is quite reliable. it uses a diff class from
mediawiki to show the diffs between the local and the remote
capabilities.
we will do some further work in the next year:
1. scheduler for updating the service metadata
2. rest interface to register services in the mapbender database
if you have any questions please ask them.

i changed the files part in the documentation - they were too old :-(

regards

On Wednesday, 07.12.2011, 14:18 -0400, Jeff McKenna wrote:

> Hello everyone!
>
> I am just wondering if the 'monitoring module'
> (http://www.mapbender.org/MonitorCapabilities) is still
> functioning/being maintained in Mapbender.  I need a software/service to
> monitor WMS servers and I know Mapbender used to do this well; I'm just
> checking that this is still the case, or do you recommend that I should
> use a different tool.
>
> Let me know your thoughts on this.  Thanks all! :)
>
> -jeff
>
>
>

--

Armin Retterath

Zentrale Stelle Geodateninfrastruktur Rheinland-Pfalz
LVermGeo RP

Ferdinand-Sauerbruchstraße 15
56073 Koblenz

Telefon: +49 (0)261/492-466
E-Mail: [hidden email]

http://www.geoportal.rlp.de



Re: Monitoring module - status

jmckenna
Administrator

>>
>> I am just wondering if the 'monitoring module'
>> (http://www.mapbender.org/MonitorCapabilities) is still
>> functioning/being maintained in Mapbender.  I need a software/service to
>> monitor WMS servers and I know Mapbender used to do this well; I'm just
>> checking that this is still the case, or do you recommend that I should
>> use a different tool.

Thanks for your responses Stephan and Armin, your responses were both
very helpful.  I will look into both options.

Have a good weekend :)

-jeff




--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/


